Question ID : 216
Created on 2012-05-05 at 8:38 PM
Author : Guru Corner [email@example.com]
Online URL : http://kb.guru-corner.com/question.php?ID=216
Article Applies To:
Affected SonicWALL Security Appliance Platforms:
Gen5: NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400 MX, NSA 240
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)
Firmware/Software Version: All versions.
When the log shows several "IKE Initiator: Remote Party timeout..." messages followed, after a short delay, by "IKE negotiation aborted due to timeout", there is either a communication problem or the Initiator and Responder are unable to complete the Phase 1 negotiations.
Logs on Initiator:
Resolution / Workaround:
If you receive an "IKE Initiator: No response--remote party timeout" error:
1. Check the logs on the Responder SonicWALL, which will clearly display the exact problem. Ensure that the Proposals are identical on both VPN policies.
Logs on Responder:
If no log messages are available for the Initiator VPN device, then follow these steps:
2. Ensure that the Global VPN option and the VPN policy are enabled.
3. Verify network connectivity between the units. (Tip: you may try to connect via GVC software if GroupVPN is configured on the SonicWALL.)
4. The 'Disable this SA' box is not checked in the SA of the IKE Responder (SonicOS Standard)
5. IPSec Gateway address in Initiator SA specifies WAN address of IKE Responder
6. If you are using FQDN in the IPSec Gateway Name or Address field, ensure that FQDN resolves to WAN address of IKE Responder
7. IKE Access Rules enabled on both SonicWALLs
8. No other firewalls in the path are blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.
9. Contact ISP to see if they're blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.
10. If using SonicOS Standard with Aggressive Mode VPN, make sure the remote end's firewall name is specified on the host firewall's VPN policy
11. If the VPN tunnel is being established with a 3rd-party VPN device, make sure that NAT-T is disabled (in case there is no NAT device in front of the SonicWALL)
12. Check the Local and Peer IKE IDs in the VPN policy if you have set up the Site to Site VPN Policy between SonicOS Enhanced and SonicOS Standard firewalls
13. Click the Advanced tab of the VPN Policy and set the VPN to bind to Zone WAN.
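To tell the two causes named at the top of this article apart from the Initiator side (no path to the Responder on UDP 500 versus a Phase 1 proposal mismatch), the following added example, which is not SonicWALL code or part of the original article, sends one IKEv1 Main Mode proposal to your own Responder and classifies the answer. The proposal (3DES, SHA-1, pre-shared key, DH group 2), the function names and the placeholder address are assumptions; set them to match your VPN policy.

```python
import os
import socket
import struct

def build_main_mode_sa(cookie):
    """IKEv1 Main Mode message 1: ISAKMP header + SA payload, one proposal."""
    # Assumed proposal: 3DES, SHA-1, pre-shared key, DH group 2. Change the
    # values to match your own VPN policy. Attribute types per RFC 2409.
    attrs = b"".join(struct.pack(">HH", 0x8000 | t, v)
                     for t, v in [(1, 5), (2, 2), (3, 1), (4, 2), (11, 1)])
    attrs += struct.pack(">HHI", 12, 4, 28800)  # life duration, 28800 s
    transform = struct.pack(">BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack(">BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack(">BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    # Header: next payload 1 (SA), version 1.0, exchange type 2 (Main Mode)
    header = cookie + bytes(8) + struct.pack(">BBBBII", 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa

def classify_reply(cookie, data):
    """Map the first datagram that came back (or None) to a diagnosis."""
    if data is None:
        return "timeout"              # nothing came back: work through the checklist
    if len(data) < 28 or data[:8] != cookie:
        return "unrelated"            # not an answer to our packet
    next_payload, exchange = data[16], data[18]
    if exchange == 5 and next_payload == 11 and len(data) >= 40:
        notify = struct.unpack(">H", data[38:40])[0]
        # Notify type 14 is NO-PROPOSAL-CHOSEN: peer reachable, proposals differ
        return "no-proposal-chosen" if notify == 14 else f"notify-{notify}"
    if exchange == 2 and next_payload == 1:
        return "sa-accepted"          # peer reachable and proposal accepted
    return "other"

def probe(host, port=500, timeout=3.0):
    """Send one Phase 1 proposal to the responder and classify the answer."""
    cookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_main_mode_sa(cookie), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify_reply(cookie, data)

if __name__ == "__main__":
    print(probe("192.0.2.1"))  # placeholder address (TEST-NET-1)
```

A "timeout" result does not by itself prove that UDP 500 is blocked, because a responder may also stay silent when it rejects a proposal; the Responder's own log (step 1) remains the authoritative source.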